This function will help to prevent an SQL injection attack from being carried out against your website's login form. It probably won't stop EVERY variation of such an attack, but it'll give you some measure of security.
PHP example:
#
# login.htm
#
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>MyWeb.com Login</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
</head>
function anti_injection( $user, $pass )
{
    # The statement lines of this function were lost when the page was extracted;
    # the statements below are reconstructed from the comments that survived.
    # We'll first get rid of any special characters using a simple regex statement.
    # A username containing anything but letters and digits becomes NULL, which
    # is what the final check below looks for.
    $user = preg_match( '/[^a-zA-Z0-9]/', $user ) ? NULL : $user;
    # After that, we'll get rid of any SQL command words using a string replacement.
    # (The original word list was not preserved; this one is a constructed sample.)
    $banlist = array( 'insert', 'select', 'update', 'delete', 'drop', 'union', 'truncate' );
    if ( $user !== NULL ) { $user = str_replace( $banlist, '', strtolower( $user ) ); }
    # Now to make sure the given password is an alphanumerical string
    # devoid of any special characters. strtolower() is being used
    # because unfortunately, str_ireplace() only works with PHP5.
    if ( !ctype_alnum( $pass ) ) { $pass = NULL; }
    else { $pass = str_replace( $banlist, '', strtolower( $pass ) ); }
    # Now to make an array so we can dump these variables into the SQL query.
    $array = array( 'user' => $user, 'pass' => $pass );
    # If either user or pass is NULL (because of inclusion of illegal characters),
    # the whole script will stop dead in its tracks. in_array() compares loosely,
    # so an empty string is treated the same way as NULL here.
    if ( in_array( NULL, $array ) )
    {
        die ( 'Hacking attempt. Go play someplace else, you script kiddie.' );
    }
    else
    {
        return $array;
    }
}
# Now to filter the login data through the anti_injection() function
# and assign the results to an array. The values used are assuming the
# login form itself is using the POST method, and the username and
# password fields were given the names of "user" and "pass"
# respectively. This works with the GET method, too, but
# I *STRONGLY* advise you not to use it.
$login = anti_injection( $_POST['user'], $_POST['pass'] );   # statement reconstructed from the comment above
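A filter like the one above is only as good as its character and word lists. As an added example that is not part of the original snippet, here is the same login check written with a PDO prepared statement, so the user-supplied values are bound as parameters and never become part of the SQL text; the connection `$db`, the `users` table and its `username` and `password_hash` columns are assumptions.

```php
<?php
# Added example, not the original snippet's code. Assumptions: a PDO connection
# $db and a hypothetical table "users" with the columns "username" and
# "password_hash" (a digest produced by password_hash()).
function login_user( PDO $db, $user, $pass )
{
    # Keep the snippet's whitelist idea as input validation: a username is
    # alphanumeric and of sane length, or it is rejected outright. No blacklist
    # of SQL words is needed once the value is bound instead of spliced in.
    if ( !is_string( $user ) || !is_string( $pass ) )
    {
        return false;
    }
    if ( !ctype_alnum( $user ) || strlen( $user ) > 32 )
    {
        return false;
    }
    # The username travels to the database as a bound parameter, so quotes,
    # comment markers or keywords inside it are data, never SQL.
    $stmt = $db->prepare( 'SELECT password_hash FROM users WHERE username = :user' );
    $stmt->bindValue( ':user', $user, PDO::PARAM_STR );
    $stmt->execute();
    $row = $stmt->fetch( PDO::FETCH_ASSOC );
    # The password is never compared inside the query; it is checked against the
    # stored hash here, so it needs no character restrictions at all.
    if ( $row === false )
    {
        return false;
    }
    return password_verify( $pass, $row['password_hash'] );
}

# Usage with the form described above (POST fields "user" and "pass").
# The DSN and credentials below are placeholders.
# $db = new PDO( 'mysql:host=localhost;dbname=myweb', 'dbuser', 'dbpass' );
# if ( login_user( $db, $_POST['user'], $_POST['pass'] ) ) { /* logged in */ }
```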